Blocking Access to the TS "C" and "D" Drive

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

I have a company that is just starting to use terminal server. The company
is small and the Terminal Server has been licensed on their main file server.
They want the users to have access to the file shares, but not the root of
the hard drives on the server, in this case, the C and D drive. Is there a
way to block access to those drives during a TS session while still allowing
access to mapped network drives (that may point back to folders on the local
(to TS) C and D drives?
 
Which OS are you running on the server?
You can and should do two things:

1) hide those drives from the users through a Group Policy. Note
that this is a cosmetic fix only, it's much more convenient for the
users when they don't see the drives, but it does *not* give you
any security. That's why you also need to:

2) use NTFS permissions on the file system to keep users out of the
disk area where they should not have access.

278295 - How to Lock Down a Windows 2000 Terminal Services Session
http://support.microsoft.com/?kbid=278295

231289 - Using Group Policy Objects to Hide Specified Drives in My
Computer for Windows 2000
http://support.microsoft.com/?kbid=231289

Securing Windows 2000 Terminal Services
http://www.microsoft.com/technet/treeview/default.asp?
url=/technet/prodtechnol/win2kts/maintain/optimize/secw2kts.asp

Guide to Securing Microsoft Windows 2000 Terminal Services
http://nsa1.www.conxion.com/win2k/guides/w2k-19.pdf
 
Vera,

Thanks for the reply.

I did lock the drives down under a group policy, but they can still right
click the start button and select explore and see the C drive. The D drive
remains hidden.

This is running on Windows 2003 standard server.
 
Yes, that's why you need the NTFS permissions. Hide drives works
only in standard "File Open" and "Save as" dialog boxes, and not
very well there either.

--
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
--- please respond in newsgroup, NOT by private email ---
 
Back
Top